Recently, I traveled to South Carolina to deliver a presentation on advanced threats and mitigation strategies, and it wasn't long before the question-and-answer session turned to a discussion on ransomware.
One attendee wanted to know: Should businesses ever pay to recover encrypted files?
I stressed that victims should never pay ransoms because it only exacerbates an already out-of-control problem and there are never guarantees that files will be recovered after paying money to criminals.
After the session ended, an IT administrator for a local healthcare outfit approached me and pointedly told me his company was in the midst of paying the ransom after a pretty nasty infection and he wanted me to know that my "never pay" advice was impractical.
"It's really bad. We have no computers to use. All our backups are encrypted. It's a case of desperation. We either pay $800 or we spend thousands to rebuild systems and try to recover data. In practice, we have no choice but to pay the ransom," he explained. "Dude, it is real desperation. We simply can’t do business unless we pay."
It was a sobering moment that has stayed with me as I read multiple reports of US hospitals struggling to cope with malware attacks that encrypt files and other sensitive data. For hospitals, where being online and operational can be a life-or-death issue, the sense of desperation is entirely understandable.
Ransomware infections are growing at an alarming rate and experts say there's a new phase of this threat coming that will be even more devastating for large and small businesses alike.
Over the last two years, the FBI processed about 4,200 ransomware complaints and estimated victims lost more than $47 million. That's just the ones that filed a complaint. In reality, the majority of ransomware infections go unreported, meaning that this could already be a billion-dollar cybercrime business.
"Right now, ransomware is absolutely an epidemic. Organizations, for a variety of reasons, are not in a good position to be able to defend against it," says Jason Lidow, president at The DigiTrust Group, a global managed services consultancy.
Hospitals are an obvious target because of the desperation factor and a general lax approach to computer security.
"Hospitals are dealing with legacy software and hardware mixtures in their environments. It’s difficult, if not impossible, to keep healthcare legacy software up to date. Hospitals have specific application packages that are expensive or too complicated to replace. Some of them are operating on Windows XP without patches," Mr. Lidow explained.
Costin Raiu, director of the research team at Kaspersky Lab (where I work), agrees. "It’s so much easier to infect a network full of unpatched software. Hospitals are among the least protected. They're running old, old versions of Windows. They have X-ray machines and other medical devices running on old servers with no usernames and default passwords," Mr. Raiu said, noting that hospitals are scrambling to pay the ransoms because retaining and securing patient data is such a crucial part of their operations.
For Santiago Pontiroli, a Kaspersky Lab malware researcher who specializes in tracking ransomware variants, basic computer security hygiene is also a big part of the problem. "Businesses will say they have backups but they will leave those backups connected to the shared drives and then the backups get encrypted."
"If you as the user can access the file and you have write access to that file, so can the ransomware. It doesn’t matter if the file is on Dropbox, shared drives, local drives or USB sticks, the ransomware will get to it," Mr. Pontiroli explained.
As a rule of thumb, he suggests that backups should be done on offline drives that should be unplugged and stored away immediately. "Even your cloud stored files are at risk. If your service doesn’t support file versioning, the ransomware can overwrite your files with an encrypted version and it’s game over."
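The two points Mr. Pontiroli makes, that ransomware can reach any backup the user can write to, and that a cloud store without file versioning offers no way back, can be turned into a simple audit. The following Python script is an added example, not code from the article or from Kaspersky Lab; the `BackupTarget` class, the `assess` function and the `VersionedStore` model are my own constructions, and the `versioned` flag is assumed to be set by the operator from what the backup service actually supports. It classifies each backup location by what a process running as the current user could do to it, and shows why a store that keeps prior versions survives an overwrite while a plain overwrite does not.

```python
"""Audit backup locations for ransomware exposure (added example, not the article's code)."""
import os
import tempfile
from dataclasses import dataclass


@dataclass
class BackupTarget:
    name: str
    path: str
    versioned: bool = False  # assumption: operator sets this from the service's capabilities


def assess(target: BackupTarget) -> str:
    """Classify a target by what malware running under this user account could do to it.

    offline    -> path not present (drive unplugged / share unmounted): unreachable
    read-only  -> reachable but not writable by this account
    versioned  -> writable, but prior versions survive an overwrite
    exposed    -> writable and unversioned: an encrypting overwrite is final
    """
    if not os.path.exists(target.path):
        return "offline"
    if not os.access(target.path, os.W_OK):
        return "read-only"
    return "versioned" if target.versioned else "exposed"


def audit(targets):
    """Return {target name: exposure class} for a list of backup targets."""
    return {t.name: assess(t) for t in targets}


class VersionedStore:
    """Minimal model of a store that keeps every prior version of each file."""

    def __init__(self):
        self._versions = {}

    def put(self, name: str, data: bytes) -> None:
        # An overwrite appends a version instead of replacing the only copy.
        self._versions.setdefault(name, []).append(bytes(data))

    def latest(self, name: str) -> bytes:
        return self._versions[name][-1]

    def restore(self, name: str, steps_back: int = 1) -> bytes:
        # Roll back past the most recent writes (e.g. the encrypted overwrite).
        return self._versions[name][-1 - steps_back]


def demo_audit():
    """Constructed sample: three backup locations under a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        targets = [
            # A path that does not exist stands in for an unplugged USB drive.
            BackupTarget("usb drive (unplugged)", os.path.join(tmp, "not-mounted")),
            # A writable directory stands in for a mapped shared drive.
            BackupTarget("shared drive", tmp),
            # The same directory, but backed by a service that keeps versions.
            BackupTarget("cloud sync (versioned)", tmp, versioned=True),
        ]
        return audit(targets)


def demo_versioning():
    """Constructed sample: an encrypting overwrite on versioned vs. unversioned storage."""
    original = b"patient records (plaintext)"
    overwritten = b"<ciphertext written by ransomware>"  # constructed stand-in, not real output

    store = VersionedStore()
    store.put("records.db", original)
    store.put("records.db", overwritten)  # ransomware overwrites the synced file

    unversioned = {"records.db": original}
    unversioned["records.db"] = overwritten  # the only copy is gone

    return {
        "versioned_latest": store.latest("records.db"),
        "versioned_restored": store.restore("records.db", 1),
        "unversioned_after": unversioned["records.db"],
    }


if __name__ == "__main__":
    for name, status in demo_audit().items():
        print(f"{name:28s} {status}")
    for key, value in demo_versioning().items():
        print(f"{key:20s} {value!r}")
```

Anything reported as "exposed" is exactly the situation described above: the backup sits on a drive the user (and therefore the ransomware) can write to. The audit deliberately says nothing about permissions the malware might escalate to; it only answers the narrower question of what is reachable right now from the account doing day-to-day work.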
As consumers and businesses struggle to come to grips with the ransomware epidemic, there's an inevitability brewing that will leave everyone feeling the burn.
Experts are predicting that ransomware miscreants will merge with out-of-work APT (advanced persistent threat) operators to cause major damage to global companies, even those with dedicated security teams.
Imagine a world where a ransomware group has the ability to elevate permissions and go after organizations' best backup plans. It is logical that the booming success of the ransomware business will attract the more organized groups who are already skilled at targeted distribution.
To combat this next phase, businesses and consumers need to have a multilayered approach to staying safe. The use of modern antimalware technology with proactive protections is a no-brainer, along with regularly backing up important files and making sure they are stored offline. Add in a tinge of common sense when it comes to clicking on attachments and strange links, and you can minimize your exposure to risk.
Which brings me back to paying ransoms.
I still believe that shelling out cash to cybercriminals is always a bad idea that makes things worse. But if your entire business is at stake, maybe you should have a rainy day ransomware fund as part of your security backup plan.
Ryan Naraine is the head of the global research and analysis team, Kaspersky Lab USA.